DETAILED ACTION



Claims 1-20 have been examined. 



Claim Rejections - 35 USC §103 



2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 



3. Claims 1-4 are rejected under 35 U.S.C. 103(a) as being unpatentable over Clifton 
U.S. Pat. No. 5469556 (hereinafter Clifton) in view of Negishi et al. U.S. Pat. No. 
6571278 (hereinafter Negishi) and further in view of Sampson et al. U.S. Pat. No. 
6339423 (hereinafter Sampson). 

As per claim 1, Clifton discloses a computer-readable medium having 
computer-executable instructions for protecting domain data against unauthorized 
modification (Clifton: column 2 line 28 - column 4 line 34: provide resource access 
security system), comprising: receiving a request to modify an object (Clifton: column 3 
line 67 - column 4 line 8: user information related to the requested resources), the object 
including a security descriptor identifying an owner domain in the plurality of domains 
(Clifton: column 3 lines 8-52: using the resource descriptor... and identify the domain); 
determining whether the user is within the owner domain (Clifton: column 3 line 54 - 
column 4 line 8: the requester's information and the domain table); and if the user is not 
within the owner domain, rejecting the request to modify the object (Clifton: column 4 
lines 18-25: access is only permitted to the resource identified by the user/job, domain, 
and page information). Clifton does not explicitly disclose the receiving at a first
computing machine a request to modify an object associated with a shared data structure 
and plurality of computers involved in the network. However, Negishi discloses that 
limitation (Negishi: column 2 lines 26-42: receiving modification request). The user 
disclosed by Clifton can be represented by computers disclosed by Negishi to apply to the 
data sharing security system. It would have been obvious to one having ordinary skill in 
the art to combine the teachings of Negishi within the system of Clifton because it 
increases network security by first identifying the security of the requester. The 
combination of Clifton-Negishi does not explicitly disclose the shared data structure 
spanning a plurality of domains. However, Sampson discloses that limitation (Sampson: 
figure 1 and 2 and column 4 lines 14-56). It would have been obvious to one having 
ordinary skill in the art to combine the teachings of Sampson within the combination of 
Clifton-Negishi because it decreases the number of authentication processes performed by
each domain when a user wishes to access resources from multiple domains. 

As per claim 2, the combination of Clifton-Negishi-Sampson discloses the 
computer-readable medium of claim 1. Clifton further discloses if the first computing 
machine is within the owner domain, allowing the request to modify the object (Clifton: 
column 4 lines 18-25: access is only permitted to the resource identified by the user, 
domain, and page information). 

As per claim 3, the combination of Clifton-Negishi-Sampson discloses the 
computer-readable medium of claim 1. Negishi further discloses the shared data structure 
includes at least one data store that is replicated among each of the plurality of domains, 
and wherein the object is contained within the replicated data store (Negishi: column 2 
lines 25-42: the replica of the shared data; column 4 lines 27-39: the number of
computers is not limited to two). It would have been obvious to one having ordinary skill 
in the art to combine the teachings of Negishi within the combination of Clifton-Negishi- 
Sampson because it prevents modification conflict to take place on the actual data by 
resolving the conflict detected in the replicated shared file storage. 

As per claim 4, the combination of Clifton-Negishi-Sampson discloses the 
computer-readable medium of claim 1. Clifton further discloses determining whether the 
first computing machine is within the owner domain comprises retrieving from the 
security descriptor the identity of the owner domain and comparing the owner domain 
identity to the domain within which the first computing machine resides (Clifton: column 
3 line 18 - column 4 line 26: use the domain information to determine access). 



4. Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over Clifton in 
view of Negishi and further in view of Sampson and further in view of Dockter et al. U.S. 
Pat. No. 6295605 (hereinafter Dockter). 

As per claim 5, the combination of Clifton-Negishi-Sampson discloses the 
computer-readable medium of claim 1. Clifton-Negishi-Sampson does not explicitly 
disclose the security descriptor further comprises a field that indicates whether a special
security evaluation should be performed on requests to modify the object, and wherein 
the computer executable instructions further comprise, if the field indicates that the 
special security evaluation should be performed, causing the special security evaluation 
to be performed. However, Dockter discloses that limitation (Dockter: column 3 lines 30- 
38: system resource/object are assigned classification level; column 4 line 43 - column 5 
line 23: further security evaluation is required if the preceding evaluation cannot
determine the access). It would have been obvious to one having ordinary skill in the art 
to include information in the security descriptor to indicate further security evaluation is 
required when previous security evaluation cannot determine access to resource. 
Therefore, it would have been obvious to one having ordinary skill in the art to combine 
the teachings of Dockter within the combination of Clifton-Negishi-Sampson because it 
increases the efficiency in evaluating access security. 



5. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Clifton in 
view of Negishi and further in view of Sampson and further in view of Dockter and 
further in view of Goertzel et al. U.S. Pat. No. 6308273 (hereinafter Goertzel). 

As per claim 6, the combination of Clifton-Negishi-Sampson-Dockter discloses 
the computer-readable medium of claim 5. Clifton-Negishi-Sampson-Dockter does not 
explicitly disclose the special security evaluation comprises causing requesting that a 
second computing machine within the owner domain evaluate whether an entity issuing 
the request to modify the object is authorized to modify the object. However, Goertzel 
discloses that limitation (Goertzel: column 5 lines 31-67: check the location and domain 
of the requesting computer). It would have been obvious to one having ordinary skill in 
the art to combine the teachings of Goertzel within the combination of Clifton-Negishi- 
Sampson-Dockter because it increases network resource security by limiting access to 
uncertain domains. 

6. Claims 7-12 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Clifton in view of Goertzel and further in view of Negishi and further in view of Dockter. 

As per claim 7, Clifton discloses a computer-implemented method for protecting 
domain data against unauthorized modification (Clifton: column 2 line 28 - column 4 
line 34: provide resource access security system), comprising: receiving a request from 
a user in a first domain to modify an object, the request identifies at least one group of
which the requester is a member (Clifton: column 3 line 54 - column 4 line 8: the 
requester's information and the domain table), the object having an associated security 
descriptor identifying an owner domain for the object (Clifton: column 3 lines 8-52: 
using the resource descriptor... and identify the domain). Clifton does not explicitly
disclose security token identifying at least one group of which the requester is a member. 
However, Goertzel discloses that limitation (Goertzel: column 9 lines 5-43: the access 
token has security identifier based on user's credentials and group ID). It would have 
been obvious to one having ordinary skill in the art to combine the teachings of Goertzel 
within the system of Clifton because it allows first level security evaluation to be 
performed based on the user's credentials. The combination of Clifton-Goertzel does not 
explicitly disclose the receiving at a first computing machine a request to modify an 
object associated with a shared data structure and plurality of computers involved in the 
network. However, Negishi discloses that limitation (Negishi: column 2 lines 26-42: 
receiving modification request). It would have been obvious to one having ordinary skill 
in the art to replace user/job disclosed by Clifton by computers disclosed by Negishi to 
apply to the data sharing/network security system. Therefore, it would have been obvious 
to one having ordinary skill in the art to combine the teachings of Negishi within the 
combination of Clifton-Goertzel because it increases network security by first identifying
the security of the requester. The combination of Clifton-Goertzel-Negishi does not 
explicitly disclose the object having a flag to identify whether a special security 
evaluation is to be performed on requests to modify the object; determining from the flag 
whether the special security evaluation is to be performed on the request to modify the 
object; if the flag indicates in the affirmative, then performing the special security 
evaluation on the request to modify the object; and if the special security evaluation 
approves the request to modify the object then allowing the request to modify the object 
to proceed. However, Dockter discloses that limitation (Dockter: column 3 lines 30-38: 
system resource/object are assigned classification level; column 4 line 43 - column 5 line 
23: further security evaluation is required if the preceding evaluation cannot determine
the access). It would have been obvious to one having ordinary skill in the art to include 
information in the security descriptor to indicate further security evaluation is required 
when previous security evaluation cannot determine access to resource. Therefore, it 
would have been obvious to one having ordinary skill in the art to combine the teachings 
of Dockter within the combination of Clifton-Goertzel-Negishi because it increases the 
efficiency in evaluating access security. 

As per claim 8, the combination of Clifton-Goertzel-Negishi-Dockter discloses 
the method according to claim 7. Dockter further discloses the special security evaluation 
comprises passing the security token associated with the request and the security 
descriptor associated with the object to the owner domain for evaluation (Dockter: 
column 2 lines 31-50: acquire qualification data regarding to the access request). It would 
have been obvious to one having ordinary skill in the art to combine the teachings of 
Dockter within the combination of Clifton-Goertzel-Negishi because it is well known in
the art to execute access control based on user information/credentials. 

As per claim 9, the combination of Clifton-Goertzel-Negishi-Dockter discloses 
the method according to claim 7. Dockter further discloses if the flag indicates in the 
negative, then performing a security evaluation on the request to modify the object 
(Dockter: column 4 line 45 - column 5 line 23: continue evaluation if the previous 
evaluation result is undetermined). It would have been obvious to one having ordinary 
skill in the art to combine the teachings of Dockter within the combination of Clifton- 
Goertzel-Negishi because it allows the system to avoid further evaluation if the requester 
cannot pass basic evaluations. 

As per claim 10, the combination of Clifton-Goertzel-Negishi-Dockter discloses 
the method according to claim 9. Goertzel further discloses the security evaluation 
comprises comparing the security token with the security descriptor to determine whether 
the requester is a member of any groups that have been granted permission to access the 
object (Goertzel: column 9 lines 5-43). It is obvious to one having ordinary skill in the art 
to adopt different types of security evaluation based on different user information. 
Therefore, it would have been obvious to one having ordinary skill in the art to combine 
the teachings of Goertzel within the combination of Clifton-Goertzel-Negishi-Dockter 
because it is well known in the art to execute access control based on user 
information/credentials as well as user's security level. 

As per claim 11, the combination of Clifton-Goertzel-Negishi-Dockter discloses
the method according to claim 10. Negishi further discloses the security evaluation 
further comprises determining whether the request to modify the object is a modification 
for which the requester is privileged on the first machine regardless of whether the
requester is a member of any groups that have been granted permission to access the 
object (Negishi: column 3 lines 1-45: the security evaluation is based on the classification 
level of the users). It would have been obvious to one having ordinary skill in the art to 
combine the teachings of Negishi within the combination of Clifton-Goertzel-Negishi- 
Dockter because it is well known in the art to execute access control based on user 
information/credentials as well as user's security level. 

As per claim 12, the combination of Clifton-Goertzel-Negishi-Dockter discloses 
the method according to claim 11. Goertzel further discloses the security evaluation
further comprises if the requester is privileged to perform the request to modify the 
object, and the requested modification is a fundamental modification of the object, then 
denying the request if the first domain is not the owner domain for the object (Goertzel: 
column 1 line 55 - column 2 line 10; column 5 lines 11-67: the normal access token is
restricted if the user is not within the domain or location authorized by the system). It 
would have been obvious to one having ordinary skill in the art to combine the teachings 
of Goertzel within the combination of Clifton-Goertzel-Negishi-Dockter because it 
prevents unauthorized parties to access network resources through unauthorized links. 

7. Claims 13 and 20 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Sampson in view of Negishi and further in view of Clifton. 

As per claim 13, Sampson discloses a computer-readable medium having 
computer-executable components to protect domain data against unauthorized 
modification (Sampson: column 3 lines 20-43: access control system); comprising: a 
shared data structure that spans a plurality of domains (Sampson: column 4 lines 13-21:
multiple domains), at least two domains in the plurality of domains having a transitive 
trust relationship wherein a user authentication within one of the two domains is honored 
in the other of the two domains (Sampson: column 3 lines 20-33). Sampson does not 
explicitly disclose the shared data structure having at least one data store that is replicated 
among each of the plurality of domains. However, Negishi discloses that limitation 
(Negishi: column 2 lines 29-31: replica of shared data; column 4 lines 27-39: the number 
of computers is not limited to two and same components are provided to both computers
so that means each computer has a replica or shared data). It would have been obvious to 
one having ordinary skill in the art to combine the teachings of Negishi within the system 
of Sampson because it prevents modification conflict to take place on the actual data by 
resolving the conflict detected in the replicated shared file storage. The combination of 
Sampson-Negishi does not explicitly disclose an object stored within the data store, the 
object having a plurality of attributes, at least one of the attributes being related to 
security access rights associated with the object, the security access rights including an 
owner domain identifier identifying one of the domains within the plurality of domains. 
However, Clifton discloses those limitations (Clifton: column 3 lines 8-52). It would have 
been obvious to one having ordinary skill in the art to combine the teachings of Clifton 
within the combination of Sampson-Negishi because it increases security by prohibiting 
users from accessing data based on their domain information. Negishi further discloses 
a security system configured to receive a request to modify the object (Negishi: column 2 
lines 29-31: a receiver for receiving modification request). It would have been obvious to
one having ordinary skill in the art to combine the teachings of Negishi within the 
combination of Sampson-Negishi-Clifton because it is obvious to receive an access
request before the system can execute access control. Clifton further discloses to retrieve 
from the object the owner domain identifier, to compare the owner domain identifier with 
an identifier of a domain from which the request originated, and to reject the request to 
modify the object if the owner domain identifier does not match the identifier of the 
domain from which the request originated (Clifton: column 3 line 53 - column 4 line 26). 
Same rationale applies here as above. 

As per claim 20, the combination of Sampson-Negishi-Clifton discloses the 
computer readable medium according to claim 13. Clifton further discloses the at least 
one attribute comprises a security descriptor, and the owner domain identifier is part of 
an owner security identifier (Clifton: column 3 lines 8-53). It would have been obvious 
to one having ordinary skill in the art to combine the teachings of Clifton within the 
combination of Sampson-Negishi-Clifton because it increases security by prohibiting 
users from accessing data based on their domain information. 

8. Claims 14 and 15 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Sampson in view of Negishi and further in view of Clifton and further in view of Jiang et 
al. U.S. Pat. No. 6453354 (hereinafter Jiang) and further in view of Gupta et al. U.S. Pat. 
No. 6226752 (hereinafter Gupta). 

As per claim 14, the combination of Sampson-Negishi-Clifton discloses the 
computer readable medium according to claim 13. Sampson-Negishi-Clifton does not 
explicitly disclose the security access rights associated with the object further comprise 
an indicator that an attempt to access the object is to be evaluated within the domain 
identified by the owner domain; and the security system is further configured to, prior to
performing a security evaluation on a received request to modify the object, determine 
from the indicator whether the request to modify the object should be evaluated within 
the domain identified by the owner domain, and if so, to return a notification to the 
requestor that the security evaluation is to be evaluated within the domain identified by 
the owner domain. However, Jiang discloses access request to file system is forwarded to 
owner of the file if the request is not received by the owner of the file system (Jiang: 
column 13 lines 4-61). It would have been obvious to one having ordinary skill in the art 
to combine the teachings of Jiang within the combination of Sampson-Negishi-Clifton 
because it prevents a system from processing a request that it's not capable of processing. 
Jiang also discloses the first system forwards the request to another file system if it's not 
the owner of the requesting file. Jiang does not explicitly disclose redirecting the 
requestor to another system. However, Gupta discloses that limitation (Gupta: column 14 
line 65 - column 15 line 35: redirect the client requestor to the second server). It would 
have been obvious to one having ordinary skill in the art to combine the teachings of 
Gupta within the combination of Sampson-Negishi-Clifton-Jiang because it allows direct
communication between two parties. 

As per claim 15, the combination of Sampson-Negishi-Clifton-Jiang-Gupta
discloses the computer-readable medium according to claim 14. Gupta further discloses 
the notification to the requester comprises a referral message including an identification 
of the owner domain (Gupta: column 12 lines 13-24: redirect message). It would have 
been obvious to one having ordinary skill in the art to combine the teachings of Gupta 
within the combination of Sampson-Negishi-Clifton-Jiang-Gupta because it helps the
requestor to connect to the second server without much interaction. 



9. Claim 16 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson 
in view of Negishi and further in view of Clifton and further in view of Goertzel. 

As per claim 16, the combination of Sampson-Negishi-Clifton discloses the 
computer readable medium according to claim 13. Sampson-Negishi-Clifton does not 
explicitly disclose the security system is further configured to determine whether the
request to modify the object originated within a particular domain of the plurality of 
domains, and if so, then to perform a standard security evaluation of the request to 
modify the object without resort to the owner domain. However, Goertzel discloses that 
limitation (Goertzel: column 1 line 55 - column 2 line 10; column 5 lines 11-67: the
normal access token is restricted if the user is not within the domain or location 
authorized by the system). It would have been obvious to one having ordinary skill in the 
art to combine the teachings of Goertzel within the combination of Sampson-Negishi- 
Clifton because it prevents unauthorized parties to access network resources through 
unauthorized links and it enhances security measures if the request is not originated from 
authorized domains or locations. 



10. Claim 17 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson 
in view of Negishi and further in view of Clifton and further in view of Goertzel and 
further in view of Bellovin et al. U.S. Pat. No. 5805820 (hereinafter Bellovin). 

As per claim 17, the combination of Sampson-Negishi-Clifton-Goertzel discloses
the computer readable medium according to claim 16. Sampson-Negishi-Clifton-Goertzel 
does not explicitly disclose the particular domain is a root domain of the shared data 
structure. However, Bellovin discloses that limitation (Bellovin: column 3 lines 16-59 
and figures 1 and 3: the root domain has the highest level of authority for domain names). 
It would have been obvious to one having ordinary skill in the art to combine the 
teachings of Bellovin within the combination of Sampson-Negishi-Clifton-Goertzel 
because since root domain has the highest level of authority, it has the authority to 
process all of the access requests. 



11. Claim 18 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson 
in view of Negishi and further in view of Clifton and further in view of Antur et al. U.S. 
Pat. No. 6243815 (hereinafter Antur). 

As per claim 18, the combination of Sampson-Negishi-Clifton discloses the 
computer readable medium according to claim 13. Sampson-Negishi-Clifton does not 
explicitly disclose the shared data structure comprises a directory service and wherein the 
at least one data store comprises configuration data associated with the directory service. 
However, Antur discloses that limitation (Antur: column 2 lines 35-49: storing 
configuration data by network directory service server). It would have been obvious to 
one having ordinary skill in the art to combine the teachings of Antur within the 
combination of Sampson-Negishi-Clifton because it improves firewall configuration by 
updating and reconfiguring network firewall at a single administration point. 

12. Claim 19 is rejected under 35 U.S.C. 103(a) as being unpatentable over Sampson
in view of Negishi and further in view of Clifton and further in view of Lumelsky et al. 
U.S. Pat. No. 6466980 (hereinafter Lumelsky). 

As per claim 19, the combination of Sampson-Negishi-Clifton discloses the 
computer readable medium according to claim 13. Sampson-Negishi-Clifton does not 
explicitly disclose the shared data structure comprises a directory service and wherein the 
at least one data store comprises schema data associated with the directory service. 
However, Lumelsky discloses that limitation (Lumelsky: column 9 line 22 - column 10 
line 3: replica directory maintained by directory service... including schema and data). It
would have been obvious to one having ordinary skill in the art to combine the teachings 
of Lumelsky within the combination of Sampson-Negishi-Clifton because it provides
adaptive resource management function for distributed resources that could shape system 
capacity to the needs of the environment. 



Conclusion 

13. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Goertzel et al. PCT No. WO99/65207 discloses method and system of security 
location discrimination. 

Martin, Jr. U.S. Pat. No. 6421686 discloses method of replicating data records. 

Glasser et al. U.S. Pat. No. 6061684 discloses method and system for controlling 
user access to a resource in a networked computing environment. 

Strentzsch et al. U.S. Pat. No. 6256671 discloses method and apparatus for
providing network access control using a domain name system. 

He et al. U.S. Pat. No. 6088451 discloses security system and method for network 
element access. 

May et al. U.S. Pat. No. 6574674 discloses method and system for managing data 
while sharing application programs. 

Cromer et al. U.S. Pat. No. 6701349 discloses data processing system and method 
for prohibiting unauthorized modification of transmission priority levels. 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Shin-Hon Chen whose telephone number is (703) 305- 
8654. The examiner can normally be reached on Monday through Friday 8:00am to 
4:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (703) 305-9648. The fax phone number for 
the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 